@fedify/fedify 1.2.10 → 1.2.11

package/CHANGES.md

@@ -3,6 +3,29 @@
 Fedify changelog
 ================
 
+Version 1.2.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.2.10
 --------------
 
@@ -227,6 +250,29 @@ Released on October 31, 2024.
 [#118]: https://github.com/dahlia/fedify/issues/118
 
 
+Version 1.1.11
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+
 Version 1.1.10
 --------------
 
@@ -492,6 +538,31 @@ Released on October 20, 2024.
 [#150]: https://github.com/dahlia/fedify/issues/150
 
 
+Version 1.0.14
+--------------
+
+Released on January 21, 2025.
+
+ -  Fixed several security vulnerabilities of the `lookupWebFinger()` function.
+    [[CVE-2025-23221]]
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the infinite number of redirects, which could lead to
+        a denial of service attack.  Now it follows up to 5 redirects.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to other than the HTTP/HTTPS schemes, which
+        could lead to a security breach.  Now it follows only the same scheme
+        as the original request.
+
+     -  Fixed a security vulnerability where the `lookupWebFinger()` function
+        had followed the redirects to the private network addresses, which
+        could lead to a SSRF attack.  Now it follows only the public network
+        addresses.
+
+[CVE-2025-23221]: https://github.com/dahlia/fedify/security/advisories/GHSA-c59p-wq67-24wx
+
+
 Version 1.0.13
 --------------
 

package/esm/runtime/url.js

@@ -38,7 +38,13 @@ export async function validatePublicUrl(url) {
     }
     // To prevent SSRF via DNS rebinding, we need to resolve all IP addresses
     // and ensure that they are all public:
-    const addresses = await lookup(hostname, { all: true });
+    let addresses;
+    try {
+        addresses = await lookup(hostname, { all: true });
+    }
+    catch {
+        addresses = [];
+    }
     for (const { address, family } of addresses) {
         if (family === 4 && !isValidPublicIPv4Address(address) ||
             family === 6 && !isValidPublicIPv6Address(address) ||

package/esm/webfinger/lookup.js

@@ -1,5 +1,7 @@
 import { getLogger } from "@logtape/logtape";
+import { validatePublicUrl } from "../runtime/url.js";
 const logger = getLogger(["fedify", "webfinger", "lookup"]);
+const MAX_REDIRECTION = 5; // TODO: Make this configurable.
 /**
  * Looks up a WebFinger resource.
  * @param resource The resource URL to look up.
@@ -25,9 +27,11 @@ export async function lookupWebFinger(resource) {
     }
     let url = new URL(`${protocol}//${server}/.well-known/webfinger`);
     url.searchParams.set("resource", resource.href);
+    let redirected = 0;
     while (true) {
         logger.debug("Fetching WebFinger resource descriptor from {url}...", { url: url.href });
         let response;
+        await validatePublicUrl(url.href);
         try {
             response = await fetch(url, {
                 headers: { Accept: "application/jrd+json" },
@@ -40,7 +44,23 @@ export async function lookupWebFinger(resource) {
         }
         if (response.status >= 300 && response.status < 400 &&
             response.headers.has("Location")) {
-            url = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
+            redirected++;
+            if (redirected >= MAX_REDIRECTION) {
+                logger.error("Too many redirections ({redirections}) while fetching WebFinger " +
+                    "resource descriptor.", { redirections: redirected });
+                return null;
+            }
+            const redirectedUrl = new URL(response.headers.get("Location"), response.url == null || response.url === "" ? url : response.url);
+            if (redirectedUrl.protocol !== url.protocol) {
+                logger.error("Redirected to a different protocol ({protocol} to " +
+                    "{redirectedProtocol}) while fetching WebFinger resource " +
+                    "descriptor.", {
+                    protocol: url.protocol,
+                    redirectedProtocol: redirectedUrl.protocol,
+                });
+                return null;
+            }
+            url = redirectedUrl;
             continue;
         }
         if (!response.ok) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@fedify/fedify",
-  "version": "1.2.10",
+  "version": "1.2.11",
   "description": "An ActivityPub server framework",
   "keywords": [
     "ActivityPub",

package/types/runtime/url.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAIA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CAqClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}
+{"version":3,"file":"url.d.ts","sourceRoot":"","sources":["../../src/runtime/url.ts"],"names":[],"mappings":"AAKA,qBAAa,QAAS,SAAQ,KAAK;gBACrB,OAAO,EAAE,MAAM;CAI5B;AAED;;GAEG;AACH,wBAAsB,iBAAiB,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,IAAI,CAAC,CA0ClE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,GAAG,OAAO,CASjE;AAED,wBAAgB,wBAAwB,CAAC,OAAO,EAAE,MAAM,WASvD;AAED,wBAAgB,iBAAiB,CAAC,OAAO,EAAE,MAAM,GAAG,MAAM,CAWzD"}

package/types/webfinger/lookup.d.ts.map

@@ -1 +1 @@
-{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AACA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAInD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CAmEpC"}
+{"version":3,"file":"lookup.d.ts","sourceRoot":"","sources":["../../src/webfinger/lookup.ts"],"names":[],"mappings":";AAEA,OAAO,KAAK,EAAE,kBAAkB,EAAE,MAAM,UAAU,CAAC;AAMnD;;;;;GAKG;AACH,wBAAsB,eAAe,CACnC,QAAQ,EAAE,GAAG,GAAG,MAAM,GACrB,OAAO,CAAC,kBAAkB,GAAG,IAAI,CAAC,CA2FpC"}